Compile the plugin by-default with hardening flags
EionRobb opened this issue
Original report by Avamander (Bitbucket: avamander, GitHub: avamander).
Due to the fact that purple-hangouts is a somewhat sensitive piece of software with a rather big attack surface I think it's really worth compiling it by default with:

- `-fstack-protector-strong -Wstack-protector` (`-fstack-protector-all` would work too, the performance impact is unnoticeable) - Protects against stack overflow
- `-fstack-clash-protection` - Protects against stack clash attacks
- `-D_FORTIFY_SOURCE=2` - Protects against possible misuses of sensitive functions, http://man7.org/linux/man-pages/man7/feature_test_macros.7.html
- `-Wformat -Werror=format-security -Wformat-security` - Helps avoid format errors
- `-Wl,-z,relro,-z,now` - For full RELRO

I compiled it myself with these flags and it has worked perfectly so far.